{
  "title":"'SameSite' cookie attribute",
  "description":"Same-site cookies (\"First-Party-Only\" or \"First-Party\") allow servers to mitigate the risk of CSRF and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.",
  "spec":"https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-07",
  "status":"other",
  "links":[
    {
      "url":"http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/",
      "title":"Preventing CSRF with the same-site cookie attribute"
    },
    {
      "url":"https://bugzilla.mozilla.org/show_bug.cgi?id=795346",
      "title":"Mozilla Bug #795346: Add SameSite support for cookies"
    },
    {
      "url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1286861",
      "title":"Mozilla Bug #1286861, includes the patches that landed SameSite support in Firefox"
    },
    {
      "url":"https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/17140412-support-samesite-cookie-option",
      "title":"Microsoft Edge feature request on UserVoice"
    },
    {
      "url":"https://developer.microsoft.com/en-us/microsoft-edge/status/samesitecookies/",
      "title":"Microsoft Edge Browser Status"
    },
    {
      "url":"https://blogs.windows.com/msedgedev/2018/05/17/samesite-cookies-microsoft-edge-internet-explorer/",
      "title":"MS Edge dev blog: \"Previewing support for same-site cookies in Microsoft Edge\""
    },
    {
      "url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1551798",
      "title":"Mozilla Bug #1551798: Prototype SameSite=Lax by default"
    },
    {
      "url":"https://peaceful-wing.glitch.me",
      "title":"Same-site cookies demonstration by Rowan Merewood"
    }
  ],
  "bugs":[
    {
      "description":"On [Safari in macOS before 10.14.4 and iOS before 12.2](https://bugs.webkit.org/show_bug.cgi?id=188165#c43), some authentication flows with a cross-site identity provider might fail when `SameSite=Lax` is used. See [the explanation and a workaround.](https://brockallen.com/2019/01/11/same-site-cookies-asp-net-core-and-external-authentication-providers/)"
    },
    {
      "description":"On [Safari before 12.1.1 and iOS before 12.3](https://trac.webkit.org/changeset/241918/webkit), manually visiting a redirection link to a cross-site omits `Lax` cookies from the cross-site request. See [the bug.](https://bugs.webkit.org/show_bug.cgi?id=196375)"
    }
  ],
  "categories":[
    "Security"
  ],
  "stats":{
    "ie":{
      "5.5":"n",
      "6":"n",
      "7":"n",
      "8":"n",
      "9":"n",
      "10":"n",
      "11":"a #1 #2"
    },
    "edge":{
      "12":"n",
      "13":"n",
      "14":"n",
      "15":"n",
      "16":"y #1",
      "17":"y #1",
      "18":"y",
      "79":"y",
      "80":"y",
      "81":"y",
      "83":"y",
      "84":"y",
      "85":"y",
      "86":"y #3",
      "87":"y #3",
      "88":"y #3",
      "89":"y #3",
      "90":"y #3",
      "91":"y #3",
      "92":"y #3",
      "93":"y #3",
      "94":"y #3",
      "95":"y #3",
      "96":"y #3"
    },
    "firefox":{
      "2":"n",
      "3":"n",
      "3.5":"n",
      "3.6":"n",
      "4":"n",
      "5":"n",
      "6":"n",
      "7":"n",
      "8":"n",
      "9":"n",
      "10":"n",
      "11":"n",
      "12":"n",
      "13":"n",
      "14":"n",
      "15":"n",
      "16":"n",
      "17":"n",
      "18":"n",
      "19":"n",
      "20":"n",
      "21":"n",
      "22":"n",
      "23":"n",
      "24":"n",
      "25":"n",
      "26":"n",
      "27":"n",
      "28":"n",
      "29":"n",
      "30":"n",
      "31":"n",
      "32":"n",
      "33":"n",
      "34":"n",
      "35":"n",
      "36":"n",
      "37":"n",
      "38":"n",
      "39":"n",
      "40":"n",
      "41":"n",
      "42":"n",
      "43":"n",
      "44":"n",
      "45":"n",
      "46":"n",
      "47":"n",
      "48":"n",
      "49":"n",
      "50":"n",
      "51":"n",
      "52":"n",
      "53":"n",
      "54":"n",
      "55":"n",
      "56":"n",
      "57":"n",
      "58":"n",
      "59":"n",
      "60":"y",
      "61":"y",
      "62":"y",
      "63":"y",
      "64":"y",
      "65":"y",
      "66":"y",
      "67":"y",
      "68":"y",
      "69":"y",
      "70":"y",
      "71":"y",
      "72":"y",
      "73":"y",
      "74":"y",
      "75":"y",
      "76":"y",
      "77":"y",
      "78":"y",
      "79":"y",
      "80":"y",
      "81":"y",
      "82":"y",
      "83":"y",
      "84":"y",
      "85":"y",
      "86":"y",
      "87":"y",
      "88":"y",
      "89":"y",
      "90":"y",
      "91":"y",
      "92":"y",
      "93":"y",
      "94":"y",
      "95":"y",
      "96":"y",
      "97":"y"
    },
    "chrome":{
      "4":"n",
      "5":"n",
      "6":"n",
      "7":"n",
      "8":"n",
      "9":"n",
      "10":"n",
      "11":"n",
      "12":"n",
      "13":"n",
      "14":"n",
      "15":"n",
      "16":"n",
      "17":"n",
      "18":"n",
      "19":"n",
      "20":"n",
      "21":"n",
      "22":"n",
      "23":"n",
      "24":"n",
      "25":"n",
      "26":"n",
      "27":"n",
      "28":"n",
      "29":"n",
      "30":"n",
      "31":"n",
      "32":"n",
      "33":"n",
      "34":"n",
      "35":"n",
      "36":"n",
      "37":"n",
      "38":"n",
      "39":"n",
      "40":"n",
      "41":"n",
      "42":"n",
      "43":"n",
      "44":"n",
      "45":"n",
      "46":"n",
      "47":"n",
      "48":"n",
      "49":"n",
      "50":"n",
      "51":"y",
      "52":"y",
      "53":"y",
      "54":"y",
      "55":"y",
      "56":"y",
      "57":"y",
      "58":"y",
      "59":"y",
      "60":"y",
      "61":"y",
      "62":"y",
      "63":"y",
      "64":"y",
      "65":"y",
      "66":"y",
      "67":"y",
      "68":"y",
      "69":"y",
      "70":"y",
      "71":"y",
      "72":"y",
      "73":"y",
      "74":"y",
      "75":"y",
      "76":"y",
      "77":"y",
      "78":"y",
      "79":"y",
      "80":"y #3",
      "81":"y #3",
      "83":"y #3",
      "84":"y #3",
      "85":"y #3",
      "86":"y #3",
      "87":"y #3",
      "88":"y #3",
      "89":"y #3",
      "90":"y #3",
      "91":"y #3",
      "92":"y #3",
      "93":"y #3",
      "94":"y #3",
      "95":"y #3",
      "96":"y #3",
      "97":"y #3",
      "98":"y #3",
      "99":"y #3"
    },
    "safari":{
      "3.1":"n",
      "3.2":"n",
      "4":"n",
      "5":"n",
      "5.1":"n",
      "6":"n",
      "6.1":"n",
      "7":"n",
      "7.1":"n",
      "8":"n",
      "9":"n",
      "9.1":"n",
      "10":"n",
      "10.1":"n",
      "11":"n",
      "11.1":"n",
      "12":"a #4 #5",
      "12.1":"a #4 #5",
      "13":"a #4 #5",
      "13.1":"a #4 #5",
      "14":"a #5",
      "14.1":"y",
      "15":"y",
      "15.1":"y",
      "TP":"y"
    },
    "opera":{
      "9":"n",
      "9.5-9.6":"n",
      "10.0-10.1":"n",
      "10.5":"n",
      "10.6":"n",
      "11":"n",
      "11.1":"n",
      "11.5":"n",
      "11.6":"n",
      "12":"n",
      "12.1":"n",
      "15":"n",
      "16":"n",
      "17":"n",
      "18":"n",
      "19":"n",
      "20":"n",
      "21":"n",
      "22":"n",
      "23":"n",
      "24":"n",
      "25":"n",
      "26":"n",
      "27":"n",
      "28":"n",
      "29":"n",
      "30":"n",
      "31":"n",
      "32":"n",
      "33":"n",
      "34":"n",
      "35":"n",
      "36":"n",
      "37":"n",
      "38":"n",
      "39":"y",
      "40":"y",
      "41":"y",
      "42":"y",
      "43":"y",
      "44":"y",
      "45":"y",
      "46":"y",
      "47":"y",
      "48":"y",
      "49":"y",
      "50":"y",
      "51":"y",
      "52":"y",
      "53":"y",
      "54":"y",
      "55":"y",
      "56":"y",
      "57":"y",
      "58":"y",
      "60":"y",
      "62":"y",
      "63":"y",
      "64":"y",
      "65":"y",
      "66":"y",
      "67":"y",
      "68":"y",
      "69":"y",
      "70":"y",
      "71":"y #3",
      "72":"y #3",
      "73":"y #3",
      "74":"y #3",
      "75":"y #3",
      "76":"y #3",
      "77":"y #3",
      "78":"y #3",
      "79":"y #3",
      "80":"y #3",
      "81":"y #3",
      "82":"y #3"
    },
    "ios_saf":{
      "3.2":"n",
      "4.0-4.1":"n",
      "4.2-4.3":"n",
      "5.0-5.1":"n",
      "6.0-6.1":"n",
      "7.0-7.1":"n",
      "8":"n",
      "8.1-8.4":"n",
      "9.0-9.2":"n",
      "9.3":"n",
      "10.0-10.2":"n",
      "10.3":"n",
      "11.0-11.2":"n",
      "11.3-11.4":"n",
      "12.0-12.1":"a #5",
      "12.2-12.5":"a #5",
      "13.0-13.1":"y",
      "13.2":"y",
      "13.3":"y",
      "13.4-13.7":"y",
      "14.0-14.4":"y",
      "14.5-14.8":"y",
      "15.0-15.1":"y"
    },
    "op_mini":{
      "all":"n"
    },
    "android":{
      "2.1":"n",
      "2.2":"n",
      "2.3":"n",
      "3":"n",
      "4":"n",
      "4.1":"n",
      "4.2-4.3":"n",
      "4.4":"n",
      "4.4.3-4.4.4":"n",
      "96":"y"
    },
    "bb":{
      "7":"n",
      "10":"n"
    },
    "op_mob":{
      "10":"n",
      "11":"n",
      "11.1":"n",
      "11.5":"n",
      "12":"n",
      "12.1":"n",
      "64":"y"
    },
    "and_chr":{
      "96":"y #3"
    },
    "and_ff":{
      "94":"y"
    },
    "ie_mob":{
      "10":"n",
      "11":"n"
    },
    "and_uc":{
      "12.12":"n"
    },
    "samsung":{
      "4":"n",
      "5.0-5.4":"y",
      "6.2-6.4":"y",
      "7.2-7.4":"y",
      "8.2":"y",
      "9.2":"y",
      "10.1":"y",
      "11.1-11.2":"y",
      "12.0":"y",
      "13.0":"y",
      "14.0":"y",
      "15.0":"y"
    },
    "and_qq":{
      "10.4":"u"
    },
    "baidu":{
      "7.12":"y"
    },
    "kaios":{
      "2.5":"n"
    }
  },
  "notes":"This feature is backwards compatible. Browsers not supporting this feature will simply use the cookie as a regular cookie. There is no need to deliver different cookies to clients.",
  "notes_by_num":{
    "1":"Not shipped with the inital release but later with the 2018 June security update (Patch Tuesday) to Windows 10 RS3 (2017 Fall Creators Update) and newer. [More info](https://github.com/MicrosoftEdge/Status/issues/616).",
    "2":"Partial support because only supported in IE 11 on Windows 10 RS3 (2017 Fall Creators Update) and newer, but not in IE 11 on other Windows versions (Windows 7, ...)",
    "3":"Cookies without `SameSite` are treated as `Lax` by default, `SameSite=None` cookies without `Secure` are rejected.",
    "4":"Partial due to the lack of support in macOS before 10.14 Mojave.",
    "5":"Partial due to [the bug](https://bugs.webkit.org/show_bug.cgi?id=198181) that treats `SameSite=None` and invalid values as `Strict` in macOS before 10.15 Catalina and in iOS before 13."
  },
  "usage_perc_y":92.54,
  "usage_perc_a":2.4,
  "ucprefix":false,
  "parent":"",
  "keywords":"security,cookies,cookie,csrf",
  "ie_id":"",
  "chrome_id":"4672634709082112,5088147346030592,5633521622188032",
  "firefox_id":"",
  "webkit_id":"",
  "shown":true
}
